FCW : September 15, 2015
acquire shadow IT services are also unlikely to implement the procedural controls necessary to protect data, such as ensuring that when a user leaves the organization, his or her sensitive data stored in shadow IT is scrubbed and the user’s access to all shadow IT applications is terminated.

A final security concern with shadow IT regards how agency use of a specific cloud service may be affected by federal regulations. For some regulations, simply storing affected data in a public cloud is a compliance violation, regardless of the security measures in place. More broadly, the use of shadow IT is unlikely to support compliance efforts because shadow IT usage is often unaudited, unmonitored and insufficiently secured.

Mitigating Shadow IT Security Concerns

Users who have a job to do will often go to great lengths to ensure that it gets done, even if this means using shadow IT solutions that violate agency and compliance requirements and put sensitive data at grave risk of compromise. IT departments cannot stop all shadow IT use, so security team members should strive to become trusted advisers to their user community instead of the shadow IT police. This allows the security team to educate users on security policies, procedures, technologies and risks, as well as to guide them in ensuring that their IT acquisitions are properly secured. Increasing security awareness throughout the organization typically increases buy-in to the security program as well.

This is not meant to imply that IT departments should take a hands-off approach to shadow IT; on the contrary, it is essential that they be involved in both proactive and reactive ways. IT departments should identify existing shadow IT SaaS usage through an audit. Tools and services are available that can identify which cloud services are being used by an agency. Some existing enterprise security technologies, such as next-generation firewalls (NGFWs) and web security gateways, can also identify SaaS usage. Agencies can also acquire cloud-application control systems, which closely monitor all SaaS usage, including details about the applications being utilized and the actions of each user. This allows for granular auditing and access control of SaaS usage throughout the enterprise.

“A higher-level concern is that shadow IT users are unlikely to conduct a risk assessment before acquiring and using these services. Without assessing risk, IT leaders have no way to determine what vulnerabilities are present and how they should be mitigated to bring risk down to an acceptable level.”

Regardless of the method used, identifying SaaS usage allows the IT department to assess the scope of its shadow IT. The IT department can then act to assess risk for its shadow IT and determine any changes necessary to bring risk to an acceptable level. This may simply involve adding some security controls to existing shadow IT. For example, an agency may ensure that before files can be uploaded to a file-sharing service, they are first encrypted. The organization may also use NGFWs, web security gateways or cloud-application control systems to disable the riskiest functions for certain SaaS applications, or to block all use of particular SaaS applications because they cannot be secured sufficiently. Other common security controls include establishing auditing and security monitoring for SaaS applications so that security incidents and other problems can be identified and handled quickly to minimize damage.

The IT department should be proactive with shadow IT by reducing the need for it. Many shadow IT acquisitions happen because the agency doesn’t provide capabilities deemed necessary by the user community, such as advanced collaboration and file-sharing capabilities. Agencies should closely monitor and evaluate new and emerging technologies that may be of value to their user communities. IT leaders should then select one or more SaaS applications that are officially approved to provide these services; this helps to drive users to approved options.

Another way in which the security of shadow IT can be proactively improved is by the acquisition of an enterprise identity and access management solution for SaaS use. Such a solution can enable single sign-on to many SaaS applications. This takes a great password management burden off users and ensures that the individual SaaS passwords behind the scenes are unique, strong and regularly changed. Meanwhile, each user has only a single password to remember, often in conjunction with another authentication measure to provide multifactor authentication.

Before taking any other measures, every agency should have a SaaS usage policy, which establishes what users can and cannot do. Every user should be educated about this policy. Ultimately, agencies have to put more trust in their employees, but along with this trust comes responsibility. Users must be made aware of the consequences of their actions, as well as the harm that can come to the organization and to users themselves as a result of irresponsible actions that lead to a breach of sensitive data through improper shadow IT usage.

To learn more about cloud security, check out CDW’s Cloud Security Technology Insights Guide.
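The SaaS usage audit described in the article, sketched as an added example that is not part of the original article: it inventories SaaS services seen in web gateway logs and ranks the unapproved ones by upload volume. The log format, service names, domains and approved list are constructed assumptions, not the output of any real product.

```python
from collections import defaultdict

# Hypothetical catalogue: domain suffix -> SaaS service (assumption, not real vendors).
SAAS_CATALOGUE = {
    "sharebox.example": "ShareBox file sharing",
    "teamtalk.example": "TeamTalk chat",
    "agencydrive.example": "AgencyDrive file sharing",
}
APPROVED = {"AgencyDrive file sharing"}  # officially approved services (assumption)
# Constructed gateway log; assumed fields: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2015-09-01T09:12:03Z alice POST files.sharebox.example 5242880
2015-09-01T09:15:40Z bob GET www.teamtalk.example 512
2015-09-01T10:02:11Z alice POST upload.agencydrive.example 1048576
2015-09-01T10:30:00Z carol POST files.sharebox.example 2097152
2015-09-01T11:00:00Z bob GET intranet.agency.example 300
malformed line
"""

def classify(host):
    """Return the catalogued SaaS service for a host, or None."""
    host = host.lower().rstrip(".")
    for suffix, service in SAAS_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None

def audit(log_text):
    """Collect users and uploaded bytes per SaaS service seen in the log."""
    report = defaultdict(lambda: {"users": set(), "bytes_uploaded": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records instead of aborting the audit
        _, user, method, host, sent = fields
        service = classify(host)
        if service:
            report[service]["users"].add(user)
            if method in ("POST", "PUT"):  # requests that send data out
                report[service]["bytes_uploaded"] += int(sent)
    return dict(report)

def unapproved(report):
    """Unapproved services as (service, users, bytes), largest upload first."""
    rows = [(s, sorted(d["users"]), d["bytes_uploaded"])
            for s, d in report.items() if s not in APPROVED]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    print(*unapproved(audit(SAMPLE_LOG)), sep="\n")
```

The ranked list gives the IT department a starting scope for risk assessment: which unapproved services hold the most uploaded data and which users to approach first.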